What is Texas HB-300 Compliance?

Texas HB-300 Compliance

Texas HB-300 compliance is compliance with Chapter 181 of the Texas Health and Safety Code relating to the privacy of medical records and the the amendments made to this chapter by HB-300 in 2011, SB-1609 in 2013, SB-219 in 2015, and SB-930 in 2021. It is important to be aware of these amendments as the provisions of the Texas Health and Safety Code can extend to organizations located outside of Texas. This article explains –

  • What is Chapter 181 of the Texas Health and Safety Code?
  • How was Chapter 181 of the Code amended by HB-300?
  • Who is required to comply with Chapter 181 and HB-300?
  • What does Texas HB-300 compliance consist of?
  • Conclusion and FAQs about Texas HB-300 compliance

What is Chapter 181 of the Texas Health and Safety Code?

Chapter 181 of the Texas Health and Safety Code is the section of the state’s Code relating to the privacy of medical records. The Chapter was created by the passage of the Texas Medical Records Privacy Act in 2001 to increase the privacy of Protected Health Information beyond that provided by the HIPAA Privacy Rule and therefore pre-empts HIPAA in specific circumstances.

The primary differences between the Chapter 181 of the Texas Health and Safety Code and the HIPAA Privacy Rule affect disclosures of psychotherapy notes, disclosures of PHI for marketing, and the re-identification of PHI after it has been de-identified – all of which have much stricter authorization requirements than the HIPAA Privacy Rule.

For organizations covered by both the Texas Health and Safety Code and HIPAA, it is important to be aware that even when Chapter 181 of the Texas Health and Safety Code adopts the same provisions as the HIPAA Privacy Rule, organizations in breach of the provisions can be fined by both HHS’ Office for Civil Rights and the Texas Attorney General for non-compliance.

How Was Chapter 181 of the Code Amended by HB-300?

Following the passage of the HITECH Act in 2009 and the creation of the Meaningful Use incentive program, the Texas legislature took steps to update Chapter 181 of the Code to reflect the increasing amount of health data that would be created, stored, and transmitted electronically. In May 2011, HB-300 was passed unopposed by both the House and the Senate.

HB-300 amended Chapter 181 of the Texas Health and Safety Code by placing limitations on disclosures of electronic PHI, tightening the requirements for patient authorizations, and reducing the amount of time healthcare providers had to respond to patients’ access requests when electronic PHI is stored on Electronic Health Records (EHRs).

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

HB-300 also gave the legislature the opportunity to introduce training requirements, increase the penalties for non-compliance with Chapter 181, and amend the breach notification rules – which, in Texas, apply to breaches of any personal data, not necessarily health data. (Note: the original HB-300 training requirements were amended by SB-1609 in 2013).

Who is required to comply with Chapter 181 and HB-300?

Unlike HIPAA – which only applies to qualifying health plans, health care clearinghouses, healthcare providers, and business associates – Chapter 181 of the Texas Health and Safety Code and HB-300 apply to any person or organization that assembles, collects, analyses, uses, evaluates, stores, or transmits Protected Health Information (as defined by HIPAA).

This not only means that HIPAA business associates in Texas (*) are considered covered entities under the Texas Health and Safety Code, but also many organizations that would not (under HIPAA) be required to comply with the privacy, security, and breach notification requirements – for example, sports teams, website owners, and IT service providers.

(*) Organizations outside of Texas are also required to comply with Chapter 181 of the Texas Health and Safety Code and HB-300 if they assemble, collect, analyze, use, evaluate, store, or transmit the PHI of a Texas citizen. This rule applies regardless of where an organization is located in the United States and where the Texas citizen was at the time PHI is assembled or collected.

What Does Texas HB-300 Compliance Consist Of?

For HIPAA covered entities and business associates, Texas HB-300 compliance consists of complying with all applicable provisions of the Texas Medical Records Privacy Act as amended by HB-300 that provide more privacy protections than HIPAA, give patients more rights over how their PHI is used and disclosed, or increase patients’ access rights.

Texas HB-300 compliance for non-HIPAA covered entities and business associates is not a lot different. Effectively, if an organization assembles, collects, analyses, uses, evaluates, stores, or transmits the PHI of a Texas citizen, the organization is required to implement policies and procedures to protect the privacy and security of the health data.

With regards to the non-privacy and security provisions introduced by Texas HB-300, all covered entities under Chapter 181 of the Texas Health and Safety Code are required to provide training to staff within 90 days of a staff member joining the workforce. It is also necessary to provide refresher training whenever there is a material change to state or federal laws.

Additionally, away from the Health and Safety Code, Texas HB-300 compliance consists of having policies and procedures in place to report breaches of sensitive personal information in compliance with Title 11 of the Texas Business and Commerce Code Section 521. Organizations subject to Texas HB-300 compliance should note the definition of sensitive personal information in Chapter 521 as it differs from the definition of PHI.

Conclusion and FAQs about Texas HB-300 Compliance

Texas HB-300 compliance is a serious matter. Organizations that are not usually subject to the HIPAA Privacy, Security, and Breach Notification Rules are required to implement safeguards to protect the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic PHI. Additionally, under the Business and Commerce Code, organizations are required to report breaches of all sensitive personal information to the Texas Attorney General.

The failure to comply with the Texas Health and Safety Code as amended by HB-300 can be expensive. The Texas Attorney General can issue civil monetary penalties of up to $250,000 for each violation of HB-300 – regardless of whether the violation results in a data breach. These penalties are on top of any civil monetary penalties issued by HHS’ Office for Civil Rights in respect of HIPAA violations.

Additionally, the failure to report breaches of sensitive personal information within the 30 days allows when a breach affects more than 250 individuals also attracts penalties. The Texas Attorney General can impose fines of $100 per breached record per day for a late notification (up to a maximum of $250,000). Again, these penalties are on top of any issued by HHS’ Office for Civil Rights in respect of violations of the HIPAA Breach Notification Rule.

Therefore, all organizations that assemble, collect, analyze, use, evaluate, store, or transmit the PHI of Texas citizens are advised to review their current privacy policies and security procedures to ensure they comply with the Texas Health and Safety Code. Any organizations unsure about their Texas HB-300 compliance obligations should seek advice from the Texas Health Services Authority or from a compliance professional.

FAQs

What is Texas HB-300?

Texas HB-300 is an amendment to the Texas Medical Records Privacy Act that was passed by the Texas legislature in May 2011. The amendment placed further requirements and limitations on uses and disclosures of electronic PHI to address concerns that the incentivization of EHRs via the Meaning Use program would increase the flow of electronic PHI and risks to data security.

What is the Texas Medical Records Privacy Act?

The Texas Medical Records Privacy Act is an Act passed by the Texas legislature in 2001 that created Chapter 181 of the Texas Health and Safety Code. The Act was passed in response to concerns that HIPAA did not protect the privacy of individually identifiable health information when it was collected, used, stored, or transmitted by organizations that did not classify as covered entities.

What are the training requirements under Texas HB-300?

The training requirements under Texas HB-300 are that all members of the workforce must be trained in applicable policies and procedures within 60 days and annually thereafter. The initial training requirement was changed in 2013 from 60 days to 90 days and the annual refresher training requirement removed – unless there is a material change to state or federal laws.

What is the purpose of Chapter 181 of the Texas Health and Safety Code?

The purpose of Chapter 181 of the Texas Health and Safety Code is to add further protections to the privacy of individually identifiable health information than those required by the HIPAA Privacy Rule. The Chapter achieves its purpose by extending the definition of a covered entity and limiting permissible uses and disclosures of PHI.

When does the Texas Health and Safety Code pre-empt the HIPAA Privacy Rule?

The Texas Health and Safety Code pre-empts the HIPAA Privacy Rule when it provides greater protection for the privacy of individually identifiable health information or provides more rights of patient access. Organizations should review Chapter 181 of the Texas Health and Safety Code to identify where these circumstances exist in relation to existing activities.

What changes did HB-300 bring to the Health and Safety Code Chapter 181?

The changes HB-300 brought to the Health and Safety Code Chapter 181 included limits on disclosures of electronic PHI, new patient authorization requirements, and a reduction in the time allowed to respond to patient access requests. HB-300 also introduced training requirements, increased the penalties for non-compliance, and amended existing breach notification rules.

Who is required to comply with the Texas Medical Records Privacy Act and HB-300?

The Texas Medical Records Privacy Act and HB-300 applies to any entity or individual that assembles, collects, analyses, uses, evaluates, stores, or transmits Protected Health Information relating to a citizen of Texas. This includes many organizations not typically covered by HIPAA, such as sports teams, website owners, and IT service providers.

What obligations do organizations outside Texas have regarding Texas HB-300 compliance?

The obligations organizations outside Texas have regarding Texas HB-300 compliance only apply if PHI relating to a Texas citizen is assembled, collected, analyzed, used, evaluated, stored, or transmitted. In such cases, the organization must protect the data as if it were located inside Texas and comply with the Breach Notification Rule if any sensitive personal information is breached.

How is sensitive personal information defined in Texas HB-300?

Sensitive personal information is defined in Texas HB-300 using the same definitive as appears in the Business and Commerce Code Chapter 521, Section 2. It is important to be aware there is a difference between the Texas Health and Safety Code’s definition of Protected Health Information (which has the same definition as HIPAA) and the definition of sensitive personal information.

What is the recommendation for organizations uncertain about their Texas HB-300 compliance obligations?

The recommendation for organizations uncertain about their Texas HB-300 compliance obligations is to seek professional advice. The Texas Health Services Authority is a good source of information about Texas HB-300 compliance for organizations in the private sector. Alternatively, there are many capable third party organizations advertising their services online.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/